Thursday, 19 March 2015

Malware spam: "sales@marflow.co.uk" / "Your Sales Order"

This spam run pretends to come from Marflow Engineering, but it doesn't; it is a simple forgery. Marflow are not sending out this email, nor have their systems been compromised in any way.

From: sales@marflow.co.uk
Date: 19 March 2015 at 09:13
Subject: Your Sales Order

Your order acknowledgment is attached.

Please check carefully and advise us of any issues.

Best regards

Marflow

Attached is a file 611866.xls, which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt, and (depending on your version of Excel) attempting to open it gives this error:

The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?

Clicking OK loads up what looks like gobbledegook.

If you see this, then you have had a lucky escape, because the attachment is in the wrong format: it is still Base64 encoded. If you manually run a Base64 decoder against it, then you end up with a malicious XLS file, in one of three different flavours with low detection rates [1][2][3], each of which contains a slightly different malicious macro [1][2][3] that then attempts to download from the following locations:

The downloaded file is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57, and according to the Malwr report it phones home to the following IPs:
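The "wrong format" symptom above (an attachment that is really a Base64 text blob wrapping a binary XLS) is easy to spot in mail triage. The following script is an added example, not code from the blog or from any of the linked reports: it checks whether a payload carries an OLE2 or OOXML magic number, and if not, whether it is a Base64 layer that decodes to one. The sample attachment bytes are constructed inline for the demonstration.

```python
import base64
import binascii
import re

# Magic bytes of the two container formats a genuine .xls/.xlsx file uses.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office (xls/doc)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (xlsx/docx) is a zip archive

# Whole payload made of Base64 alphabet characters plus MIME line breaks.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def looks_like_base64(data: bytes) -> bool:
    """True if the entire payload is printable Base64 text (line breaks allowed)."""
    return bool(data) and _B64_RE.match(data) is not None


def classify(data: bytes) -> str:
    """Name the container format from the leading magic bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def triage_attachment(data: bytes) -> dict:
    """Report what the bytes really are, peeling one Base64 layer if present."""
    kind = classify(data)
    if kind != "unknown":
        return {"encoded": False, "format": kind, "payload": data}
    if looks_like_base64(data):
        try:
            # validate=False discards the CR/LF characters of MIME line wrapping.
            decoded = base64.b64decode(data, validate=False)
        except binascii.Error:
            return {"encoded": False, "format": "unknown", "payload": data}
        return {"encoded": True, "format": classify(decoded), "payload": decoded}
    return {"encoded": False, "format": "unknown", "payload": data}


# Constructed sample: a fake OLE2 header plus filler (NOT a real workbook), and
# the same bytes as a MIME-style Base64 blob, the way the broken spam shipped them.
FAKE_XLS = OLE2_MAGIC + b"\x00" * 8 + b"constructed workbook filler, no macros"
BROKEN_ATTACHMENT = base64.encodebytes(FAKE_XLS)

if __name__ == "__main__":
    result = triage_attachment(BROKEN_ATTACHMENT)
    print(f"base64 wrapped: {result['encoded']}, inner format: {result['format']}")
```

A hit with `encoded` set and an `ole2` or `ooxml-zip` inner format is exactly the mismatch Excel complains about, and is worth flagging at the gateway regardless of the declared `.xls` extension.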